Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice.

Security researchers play an essential role in Microsoft’s security strategy and are key to community-based defense. To show our appreciation for their hard work and partnership, each year at BlackHat North America, the Microsoft Security Response Center highlights contributions of these researchers through the list of “Top 100” security researchers reporting to Microsoft.

This list ranks security researchers reporting directly to Microsoft according to the quantity and quality of all reports for which we’ve issued fixes. While one criterion for the ranking is the volume of reports a researcher has made, the severity and impact of the reports are very important to the ranking. Higher-impact issues carry more weight than lower-impact ones. While this list does not include security researchers who report to our partners ZDI and iDefense, as we do not always have full information to recognize their efforts, we very much appreciate the partnership with ZDI and iDefense as they ensure that we know about any reports affecting Microsoft products.

Given the number of individuals reporting to Microsoft, anyone ranked among the Top 100 is among some of the top talent in the industry. Regardless of where security researchers are ranked in this list, we appreciate their active and ongoing participation with the Microsoft Security Response Center, and encourage new researchers to report potential vulnerabilities to us at secure@microsoft.com. We’re excited to see who’s going to be on the list next year.

Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection to harden entry points while ensuring the customer experience is seamless.

In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.

Since 2013, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.

The overall program highlights:

Any critical or important class remote code execution, elevation of privilege, or design flaw that compromises a customer’s privacy and security will receive a bounty

The bounty program is sustained and will continue indefinitely at Microsoft’s discretion

Bounty payouts will range from $500 USD to $250,000 USD

If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of 10% of the highest amount they could’ve received (example: $1,500 for a RCE in Edge, $25,000 for RCE in Hyper-V)

As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release signatures to detect and protect against the malware.

Based on our investigation, the malware was initially delivered via a Ukrainian company’s (M.E.doc) update service for their finance application, which is popular in Ukraine and Russia. Once the initial compromise took hold, the ransomware used multiple tools in its arsenal to spread across impacted networks. If unpatched, the malware uses vulnerabilities CVE-2017-0144 and CVE-2017-0145 to spread across networks. Microsoft released MS17-010 in March that addressed the vulnerabilities exploited by Petya. If that technique was not effective, the malware uses other methods like harvesting of credentials and traversing networks to infect other machines. (read the Microsoft Malware Protection Center analysis here for more details.)

We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. If for some reason you cannot apply the update, we recommend a possible workaround to reduce the attack surface: disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547. In addition, consider implementing techniques like network segmentation and least privileged accounts that will further limit the impact of these types of malware attacks. For those using Windows 10, leverage capabilities like Device Guard to lock down devices and allow only trusted applications, effectively preventing malware from running. Finally, consider leveraging Windows Defender Advanced Threat Protection, which automatically detects behaviors used by this new ransomware.
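One way to audit the SMBv1 workaround recommended above and verify it took effect, written as an added PowerShell example (not code from the post or from Knowledge Base Article 2696547; it assumes Windows 8.1 / Server 2012 R2 or later, where the Set-SmbServerConfiguration and Disable-WindowsOptionalFeature cmdlets are available, and an elevated session):

```powershell
# Added example: report whether the SMBv1 server is available on this host and,
# when -Disable is passed, turn it off. Without -Disable the script only reports.
param(
    [switch]$Disable
)

function Get-Smb1State {
    # Two independent views: the LanmanServer protocol setting and the
    # SMB1Protocol optional feature (absent on some builds, hence -ErrorAction).
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerProtocolEnabled = $cfg.EnableSMB1Protocol
        FeatureState          = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

$before = Get-Smb1State
Write-Host "SMBv1 server protocol enabled: $($before.ServerProtocolEnabled)"
Write-Host "SMB1Protocol optional feature:  $($before.FeatureState)"

if (-not $Disable) {
    if ($before.ServerProtocolEnabled -or $before.FeatureState -eq 'Enabled') {
        Write-Warning 'SMBv1 is still available on this host; rerun with -Disable to turn it off.'
    }
    return
}

# Turn off the SMBv1 server side, the setting KB 2696547 documents for current Windows versions.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove the SMB1 component as well; the removal completes after a reboot.
if ($before.FeatureState -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Re-read both values so the change is confirmed rather than assumed.
Get-Smb1State
```

Run it first without -Disable across a fleet to find hosts where the workaround is still missing; the reported state is the evidence to keep alongside the MS17-010 deployment status.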

The last few months have illustrated that in today’s threat landscape, cybercriminals will continue to alter their attacks, and defending against this requires an equal amount of vigilance and effort. Microsoft is committed to working with partners and customers to combat the malicious efforts of these criminals.

We are continuing to investigate and will take appropriate action to protect customers.

Over the past ten months we have paid out over $200,000 USD in bounties. This collaboration with the research community has resulted in significant improvements in Edge security and has allowed us to offer more proactive security for our customers. Keeping in line with our philosophy of protecting customers and proactively partnering with researchers, today we are changing the Edge on Windows Insider Preview (WIP) bounty program from a time bound to a sustained bounty program.

Since 2013, we have launched three browser bounties to uncover specific vulnerabilities. As security is a continuous effort and not a destination, we prioritize identifying different types of vulnerabilities at different points in time. On August 4, 2016, we launched the Edge Web Platform bounty on WIP to incentivize researchers to send us remote code execution (RCE), same origin policy bypass vulnerabilities (example: UXSS), and referrer spoofing vulnerabilities in our latest browser. Microsoft is committed to delivering secure products to our customers, and this bounty program helped us achieve that goal. We received many high-quality reports in Edge during this 10-month program, which helped keep our customers secure.

The overall program highlights:

Any critical remote code execution or important design issue that compromises a customer’s privacy and security will receive a bounty

The bounty program is sustained and will continue indefinitely at Microsoft’s discretion

Bounty payouts will range from $500 USD to $15,000 USD

If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD

Today, as part of our regular Update Tuesday schedule, we have taken action to provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures. Some of the releases today are new, and some are for older platforms under custom support agreements, that we are making publicly available today. Customers with automatic updates enabled are protected and there is no additional action required. For customers managing updates, or those on older platforms, we encourage them to apply these updates as soon as possible.

Our security teams actively monitor for emerging threats to help us prioritize and take appropriate action. We are committed to ensuring our customers are protected against these potential attacks and we recommend those on older platforms, such as Windows XP, prioritize downloading and applying these critical updates, which can be found in the Download Center (or alternatively in the Update Catalog).

Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies. Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.

As usual, customers on supported platforms with automatic updates enabled, like Windows 10 or Windows 8.1, are protected and do not need to take additional action.

Over the past 10 months, we’ve paid out more than $200,000 USD in bounties to researchers reporting vulnerabilities through the Microsoft Edge Bounty Program. Partnering with the research community has helped improve Microsoft Edge security, and to continue this collaboration, today we’re extending the end date of the Edge on Windows Insider Preview (WIP) bounty program to June 30, 2017.

Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

Details are below.

In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.

For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider that they are protected.

This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above-mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

Customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March. If customers have automatic updates enabled or have installed the update, they are protected. For other customers, we encourage them to install the update as soon as possible.

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.

We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.

Update 5/22/2017: Today, we released an update to the Microsoft Malicious Software Removal Tool (MSRT) to detect and remove WannaCrypt malware. For customers that run Windows Update, the tool will detect and remove WannaCrypt and other prevalent malware infections. Customers can also manually download and run the tool by following the guidance here. The MSRT tool runs on all supported Windows machines where automatic updates are enabled, including those that aren’t running other Microsoft security products.

Today’s security updates include three updates that exemplify how the security ecosystem can come together to help protect consumers and enterprises. We would like to thank FireEye and ESET for working with us.

Customers that have the latest security updates installed are protected against the attacks described below. As a best practice to ensure customers have the latest protections, we recommend they upgrade to the most current versions.

Through the Microsoft Active Protections Program (MAPP), partners separately alerted us to closely related, targeted attacks. These attacks both used malformed Word documents to ensnare their targets through carefully crafted phishing mails intended for a very select audience. Both attacks comprised multiple vulnerabilities, including a remote code execution flaw in the Encapsulated PostScript (EPS) filter in Office and a Windows elevation of privilege used to elevate out of sandbox protections in Office. EPS files are a legacy format that has largely fallen out of favor in today’s ecosystem. For that reason, in April 2017, we released a defense-in-depth protection that turned that code path off by default for all customers. Customers who installed the cumulative update for Office last month have mitigated the attacks described below.

This attack was reported to us in late March; however, customers were already protected by the March updates. Today, to fully address the EPS vulnerability and further protect the small number of customers who may choose to continue using the EPS filter, we released an update to address the Encapsulated PostScript vulnerability.

In terms of activity, we’ve seen a limited number of targeted attempts to use this method, which is no longer valid.

2. A Word EPS + Windows EoP (CVE-2017-0262 + CVE-2017-0263)

Microsoft detected this attack in mid-April; however, customers were already protected by the April defense-in-depth update (noted above) that broke the attack chain by turning off the EPS filter by default. Today, we are releasing further updates to address the underlying filter vulnerability and the elevation of privilege vulnerability in this attack.

In terms of activity, we’ve seen a limited number of attempts to use this method, which is no longer valid.

These updates highlight the benefit of keeping current to protect against emerging malware. For consumers, Windows 10 protects customers by default, automatically deploying updates. For enterprises, utilize the guidance we publish each month with the exploitability index to help prioritize your evaluation of the updates. Additionally, using up-to-date anti-malware software like those from partners in the Microsoft Active Protections Program will help protect you from the cycle of attackers looking to quickly utilize addressed vulnerabilities.

We have long supported coordinated vulnerability disclosure as the most effective means to ensure customers and the computing ecosystem remain protected, and we work closely with security researchers worldwide who privately report concerns to us at secure@microsoft.com. When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We follow an extensive process involving thorough investigation, update development for all versions of affected products, and testing for compatibility among other operating systems and related applications. Ultimately, developing a security update is a delicate balance between timeliness and best quality. Our goal is to help ensure maximized customer protection with minimized customer disruption.